ISSA Seeks to Define Generally Accepted Security Principles

The Information Systems Security Association, which has 10,000 members in 100 countries, has issued a global call for volunteers to participate in the development and maintenance of the Generally Accepted Information Security Principles.

The Information Systems Security Association, which has 10,000 security professionals as members in 100 countries, has issued a global call for volunteers to participate in the development and maintenance of the Generally Accepted Information Security Principles (GAISP).

The GAISP aims to be a comprehensive guide to security standards and practices, and will fulfill a third level of effort since activity to define standard security principles. The first two levels are the Pervasive Principles, which target top executive leadership of organizations, and Broad Functional Principles, which targets IT management. The third level, Detailed Principles, is intended to address the day-to-day security measures needed to fulfill the other t2wo levels.

The Detailed Principles will be derived from a review and cross-referencing of existing guidance and standards materials. They will include statements of principle, rationales, examples, cross-references and how-to guidance.

"For years we have had the Generally Accepted Accounting Principles to guide the financial reporting process, but we have not had something similar for information security," says Mike Rasmussen, chairman of the GAISP effort and an information security analyst with Forrester Research. "But the pressure is mounting on information security professionals to comply with mandates, and more legislation is coming down the pike. Organizations are seeing increased liability and exposure."

The goal is to produce a framework that security professionals can use to see where regulations overlap and where they differ.

"If a financial services company for example needs to comply with multiple regulations, they would have a common framework to manage them all," Rasmussen says.

The ISSA is uniquely positioned to develop the security principles, by virtue of its memberships, its strong relationship with other associations, and its objectivity, he says.

"A range of efforts are underway to define security standards, but many of them are vendor-connected," Rasmussen says. "You really want the people in the trenches to fie them and not security vendors with a vested interest in selling their product."

Interested persons can visit www.issa.org/gaisp.html for more information and to download the volunteer applications. Volunteers will be chosen and notified by Sept. 30. The ISSA plans to release a draft of the document by the end of Q1 2004.